[wp-hackers] Re: [wp-trac] Re: [WordPress Trac] #3592: Links with double-quotes fail to validate

Mark Jaquith mark.wordpress at txfx.net
Wed Jan 17 19:14:51 GMT 2007

On Jan 17, 2007, at 9:38 AM, WordPress Trac wrote:

> there still exists an XSS vulnerability due to an "author" being able to add
> JavaScript to the links via events (such as onClick, onMouseOver, etc.)

Authors without the unfiltered_html capability have their posts filtered by KSES, eliminating the XSS risk. This is just an issue of XHTML validation.

Mark Jaquith

Covered Web Services
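As an added illustration of the capability gate described in the reply above (example code, not WordPress's own kses implementation): a minimal KSES-style allow-list filter in Python that drops event-handler attributes and unsafe href schemes from links, re-quotes attribute values so embedded double-quotes validate, and is bypassed only when the user holds unfiltered_html. The allow-list, scheme list and function names are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list modelled on the KSES idea: only these tags survive,
# and only these attributes on them. Event handlers (onclick, onmouseover, ...)
# are never in the list, so they are dropped without needing a deny-list.
ALLOWED = {"a": {"href", "title", "rel"}, "em": set(), "strong": set()}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class KsesLikeFilter(HTMLParser):
    """Rebuild markup from parsed tokens, keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # disallowed tag is dropped; its text content is still emitted
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names: onClick -> onclick
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # e.g. javascript: URLs are removed
            # Re-quote the value: a literal " becomes &quot;, which validates.
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def kses_filter(html: str) -> str:
    parser = KsesLikeFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def filter_post_content(content: str, capabilities: set) -> str:
    """Mirror the gate in the reply: unfiltered_html skips KSES, everyone else is filtered."""
    if "unfiltered_html" in capabilities:
        return content
    return kses_filter(content)
```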
